CVE-2026-35452
Unauthorized Log Disclosure in WWBN AVideo CloneSite Plugin
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 26.0 and prior, specifically in the CloneSite plugin. The endpoint `plugin/CloneSite/client.log.php` serves the clone operation log file without requiring any authentication, unlike the other endpoints in the same plugin directory, which require admin privileges. This log file contains sensitive information such as internal filesystem paths, remote server URLs, and SSH connection metadata.
How can this vulnerability impact me?
Because the clone operation log file is accessible without authentication, an attacker can obtain sensitive internal information about the system. This includes filesystem paths, remote server URLs, and SSH connection details, which could be used to facilitate further attacks, reconnaissance, or unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated access to a log file containing internal filesystem paths, remote server URLs, and SSH connection metadata. Exposure of this internal information could lead to non-compliance with data protection standards such as GDPR and HIPAA, which require safeguarding sensitive data and controlling access to it. The advisory itself, however, does not state any impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the `plugin/CloneSite/client.log.php` endpoint is accessible without authentication on your WWBN AVideo installation. Since this endpoint serves the clone operation log file without requiring admin privileges, you can request it directly over HTTP from an unauthenticated session.
- Use curl or wget to request the URL: `curl -i http://your-avideo-domain/plugin/CloneSite/client.log.php` (`-i` includes the response headers alongside the body; a HEAD request via `-I` would return no body to inspect).
- Check whether the response status is 200 OK and whether the body contains internal filesystem paths, remote server URLs, or SSH connection metadata.
- Scan web server logs or use web vulnerability scanners to identify unauthenticated access to this endpoint.
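The checks above as a defender-side script, added here as an example and not taken from the advisory or the AVideo project. It assumes only the endpoint path stated in the advisory; the indicator patterns for the three data classes the advisory names (filesystem paths, remote URLs, SSH metadata), the classification rules, and the access-log sample are constructed for this example. Run it against your own installation; the log scan works offline on the embedded sample or on your own access log.

```python
"""Check an AVideo installation for CVE-2026-35452 and scan access logs for hits.

Added example, not part of the advisory or the AVideo project. The endpoint
path comes from the advisory; everything else here is an assumption.
"""
import re
import sys
import urllib.error
import urllib.request

ENDPOINT = "/plugin/CloneSite/client.log.php"  # path as given in the advisory

# Constructed indicator patterns for the data classes the advisory says the
# clone log contains. Tune them to what your own clone log actually looks like.
INDICATORS = {
    "filesystem_path": re.compile(r"(?:^|\s)/(?:var|home|etc|opt|usr)/[\w./-]+"),
    "remote_url": re.compile(r"https?://[\w.-]+(?::\d+)?/[\w./?=&-]*"),
    "ssh_metadata": re.compile(r"\bssh\b.*?(?:-p\s*\d+|[\w.-]+@[\w.-]+)", re.I),
}


def classify_response(status, body):
    """Classify an unauthenticated response to the endpoint.

    Returns (verdict, matched_indicators) where verdict is one of
    'vulnerable', 'protected' or 'inconclusive'. A 401/403, or a redirect
    (typically to a login page), counts as protected; a 200 counts as
    vulnerable only if the body shows the kinds of data the advisory names,
    so a 200 that merely renders a login form is reported as inconclusive.
    """
    if status in (401, 403) or 300 <= status < 400:
        return "protected", []
    if status != 200:
        return "inconclusive", []
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    return ("vulnerable", hits) if hits else ("inconclusive", [])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_endpoint(base_url, timeout=10):
    """Fetch the endpoint from your own installation without credentials."""
    url = base_url.rstrip("/") + ENDPOINT
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for 3xx/4xx/5xx
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify_response(status, body)


# Constructed sample in combined log format (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Apr/2026:10:01:02 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.4 - - [06/Apr/2026:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:02:15 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.0.2.9 - - [06/Apr/2026:10:03:30 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Count successful (200) fetches of the endpoint per source address.

    An access log cannot show whether a session was authenticated, so every
    200 on this path is worth reviewing until the endpoint is patched.
    """
    hits = {}
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        src, _method, path, status = m.groups()
        if path.split("?", 1)[0] == ENDPOINT and status == "200":
            hits[src] = hits.get(src, 0) + 1
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1]))          # e.g. https://your-avideo-domain
    else:
        print(scan_access_log(SAMPLE_ACCESS_LOG.splitlines()))
```

Usage: `python3 check_clonesite_log.py https://your-avideo-domain` performs the live check; with no argument it scans the embedded sample log, and you can pipe your own access log lines into `scan_access_log` instead. The three-way verdict matters because a patched install may answer the unauthenticated request with a 200 login page rather than a 403, which a bare status check would misreport as exposed.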
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, restrict access to the `plugin/CloneSite/client.log.php` endpoint to authorized users only.
- Apply authentication checks matching the other endpoints in the CloneSite plugin directory, enforcing `User::isAdmin()` or equivalent.
- If possible, restrict access to this endpoint via web server configuration (e.g., IP allow-listing or authentication).
- Update WWBN AVideo to a version later than 26.0 where this issue is fixed.
- Avoid exposing sensitive log files publicly to prevent leakage of internal filesystem paths and SSH metadata.